Awesome Open Source
Awesome Open Source

Dumproid

GitHub release License: MIT

Dumproid is Android process memory dump tool without ndk. It is dumping memory from /proc/<pid>/mem.

Installation

Download the binary from GitHub Releases and push it to android using adb.

$ adb push dumproid /data/local/tmp/dumproid

How to Build

You need Go 1.13 compiler. After the build is complete, if adb is connected, place the built binary in /data/local/tmp/ on Android.

$ make
GOOS=linux GOARCH=arm64 GOARM=7 go build -o dumproid
/bin/sh -c "adb push dumproid /data/local/tmp/dumproid"
dumproid: 1 file pushed. 24.1 MB/s (4977746 bytes in 0.197s)

Usage

Start-up

When android device is rooted:

$ adb shell
$ su
# /data/local/tmp/dumproid -p <PID> <some option>
               
██████╗ ██╗   ██╗███╗   ███╗██████╗ ██████╗  ██████╗ ██╗██████╗
██╔══██╗██║   ██║████╗ ████║██╔══██╗██╔══██╗██╔═══██╗██║██╔══██╗
██║  ██║██║   ██║██╔████╔██║██████╔╝██████╔╝██║   ██║██║██║  ██║
██║  ██║██║   ██║██║╚██╔╝██║██╔═══╝ ██╔══██╗██║   ██║██║██║  ██║
██████╔╝╚██████╔╝██║ ╚═╝ ██║██║     ██║  ██║╚██████╔╝██║██████╔╝
╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝     ╚═╝  ╚═╝ ╚═════╝ ╚═╝╚═════╝

When the target app is debuggable and android device is not rooted:

$ adb shell
$ pm list packages # to check <target-package-name>
# run-as <target-package-name>
# cp /data/local/tmp/dumproid ./dumproid
# ./dumproid <some option>
               
██████╗ ██╗   ██╗███╗   ███╗██████╗ ██████╗  ██████╗ ██╗██████╗
██╔══██╗██║   ██║████╗ ████║██╔══██╗██╔══██╗██╔═══██╗██║██╔══██╗
██║  ██║██║   ██║██╔████╔██║██████╔╝██████╔╝██║   ██║██║██║  ██║
██║  ██║██║   ██║██║╚██╔╝██║██╔═══╝ ██╔══██╗██║   ██║██║██║  ██║
██████╔╝╚██████╔╝██║ ╚═╝ ██║██║     ██║  ██║╚██████╔╝██║██████╔╝
╚═════╝  ╚═════╝ ╚═╝     ╚═╝╚═╝     ╚═╝  ╚═╝ ╚═════╝ ╚═╝╚═════╝

Dump memory

Dump To File

Permissions like rwxs can be specified as a filter. By default, files are dumped under /data/local/tmp/.

sargo:/ # /data/local/tmp/dumproid -q -p 24264 --filter rw-p 
Output Dir: /data/local/tmp/20200315194818
  Dump File: 12c00000-131c0000__dev_ashmem_dalvik-main_space_(region_space)_(deleted)
  Dump File: 13340000-2ac00000__dev_ashmem_dalvik-main_space_(region_space)_(deleted)
  Dump File: [email protected]@boot.art
  Dump File: [email protected]@boot-core-libart.art
  Dump File: [email protected]@boot-conscrypt.art
  Dump File: [email protected]@boot-okhttp.art
  Dump File: [email protected]@boot-bouncycastle.art
  Dump File: [email protected]@boot-apache-xml.art
  Dump File: [email protected]@boot-ext.art
  Dump File: [email protected]@boot-framework.art
  Dump File: [email protected]@boot-telephony-common.art
  Dump File: [email protected]@boot-voip-common.art
  Dump File: [email protected]@boot-ims-common.art
  Dump File: [email protected]@boot-android.hidl.base-V1.0-java.art
  Dump File: [email protected]@boot-android.hidl.manager-V1.0-java.art
  Dump File: [email protected]@boot-framework-oahl-backward-compatibility.art
  Dump File: [email protected]@boot-android.test.base.art
  Dump File: 70365000-70366000_[anon:.bss]
  Dump File: 707e5000-707e6000__system_framework_arm_boot.oat

Transfer dumped files to your PC using adb pull:

$ adb pull /data/local/tmp/20200315194818 
/data/local/tmp/20200315194818/: 736 files pulled. 30.0 MB/s (583184384 bytes in 18.552s)

Print hexdump

Use the dump option to display memory like a hexdump.

sargo:/ # /data/local/tmp/dumproid -q -p 24264 -a 0xf0c9e000 --dump                                                                                                         
00000000  00 40 00 00 d0 60 b7 f0  01 00 00 00 14 71 b7 f0  |[email protected]`.......q..|
00000010  2d 33 bf f0 00 00 00 00  00 00 00 00 1c e0 c9 f0  |-3..............|
00000020  2f 73 79 73 74 65 6d 2f  62 69 6e 2f 6c 69 6e 6b  |/system/bin/link|
00000030  65 72 00 00 1d 00 00 00  02 00 00 00 00 10 00 00  |er..............|
00000040  40 e0 c9 f0 40 e0 c9 f0  35 d7 c2 f0 4c e0 c9 f0  |@[email protected]|
00000050  4c e0 c9 f0 00 00 00 00  00 00 00 00 ca 82 c8 f0  |L...............|
00000060  00 00 00 00 ff ff ff ff  00 00 00 00 e1 82 c8 f0  |................|
00000070  00 00 00 00 ff ff ff ff  00 00 00 00 95 26 c3 f0  |.............&..|
00000080  00 00 00 00 00 00 00 00  f3 82 c8 f0 00 00 00 00  |................|
00000090  ff ff ff ff fe 00 00 00  09 83 c8 f0 00 00 00 00  |................|
000000a0  ff ff ff ff fe 00 00 00  59 27 c3 f0 ac e0 c9 f0  |........Y'......|
000000b0  ac e0 c9 f0 27 28 c8 f0  79 27 c3 f0 b1 27 c3 f0  |....'(..y'...'..|
000000c0  d5 27 c3 f0 f1 27 c3 f0  f5 28 c3 f0 61 29 c3 f0  |.'...'...(..a)..|
000000d0  c9 29 c3 f0 4d 2a c3 f0  ad 2a c3 f0 0d 2b c3 f0  |.)..M*...*...+..|
000000e0  1d 2b c3 f0 99 2b c3 f0  e8 e0 c9 f0 e8 e0 c9 f0  |.+...+..........|
000000f0  f0 e0 c9 f0 f0 e0 c9 f0  f8 e0 c9 f0 f8 e0 c9 f0  |................|

Check memory mapping

Use the maps option to display memory mapping.

sargo:/ # /data/local/tmp/dumproid -q -p 24264 --maps --filter rw-p                                                                                                         
12c00000-131c0000 rw-p 00000000 00:05 23292                              /dev/ashmem/dalvik-main space (region space) (deleted)
13340000-2ac00000 rw-p 00740000 00:05 23292                              /dev/ashmem/dalvik-main space (region space) (deleted)
6f181000-6f3a6000 rw-p 00000000 fd:01 221                                /data/dalvik-cache/arm/[email protected]@boot.art
6f3bc000-6f4b3000 rw-p 00000000 fd:01 229                                /data/dalvik-cache/arm/[email protected]@boot-core-libart.art
6f4c5000-6f4f6000 rw-p 00000000 fd:01 232                                /data/dalvik-cache/arm/[email protected]@boot-conscrypt.art
6f4f9000-6f526000 rw-p 00000000 fd:01 235                                /data/dalvik-cache/arm/[email protected]@boot-okhttp.art
6f529000-6f57f000 rw-p 00000000 fd:01 240                                /data/dalvik-cache/arm/[email protected]@boot-bouncycastle.art
6f586000-6f5db000 rw-p 00000000 fd:01 250                                /data/dalvik-cache/arm/[email protected]@boot-apache-xml.art
6f5e2000-6f61d000 rw-p 00000000 fd:01 263                                /data/dalvik-cache/arm/[email protected]@boot-ext.art
6f628000-6fe2a000 rw-p 00000000 fd:01 270                                /data/dalvik-cache/arm/[email protected]@boot-framework.art
6fe8a000-6ff6c000 rw-p 00000000 fd:01 275                                /data/dalvik-cache/arm/[email protected]@boot-telephony-common.art
6ff7e000-6ff89000 rw-p 00000000 fd:01 278                                /data/dalvik-cache/arm/[email protected]@boot-voip-common.art
6ff8b000-6ffa0000 rw-p 00000000 fd:01 281                                /data/dalvik-cache/arm/[email protected]@boot-ims-common.art
6ffa2000-6ffa5000 rw-p 00000000 fd:01 284                                /data/dalvik-cache/arm/[email protected]@boot-android.hidl.base-V1.0-java.art
6ffa5000-6ffa9000 rw-p 00000000 fd:01 287                                /data/dalvik-cache/arm/[email protected]@boot-android.hidl.manager-V1.0-java.art
6ffab000-6ffac000 rw-p 00000000 fd:01 290                                /data/dalvik-cache/arm/[email protected]@boot-framework-oahl-backward-compatibility.art
6ffad000-6ffb0000 rw-p 00000000 fd:01 293                                /data/dalvik-cache/arm/[email protected]@boot-android.test.base.art
70365000-70366000 rw-p 00000000 00:00 0                                  [anon:.bss]
707e5000-707e6000 rw-p 003b4000 103:25 603                               /system/framework/arm/boot.oat
70967000-70968000 rw-p 00000000 00:00 0                                  [anon:.bss]
70c61000-70c62000 rw-p 00182000 103:25 601                               /system/framework/arm/boot-core-libart.oat
...

License

GPLv3 - GNU General Public License, version 3

Copyright (C) 2020 tkmru


Get A Weekly Email With Trending Projects For These Topics
No Spam. Unsubscribe easily at any time.
Go (196,482
Forensics (498
Related Projects